---
title: ClientCredentialsOAuth2ClientFilter
description: Authenticates OAuth 2.0 clients with the OAuth 2.0 client_credentials grant type. Gets an access token from an Authorization Server with the specified scopes. Injects the access token into the inbound request as a Bearer Authorization header.
component: pinggateway
version: 2026
page_id: pinggateway:reference:ClientCredentialsOAuth2ClientFilter
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/ClientCredentialsOAuth2ClientFilter.html
revdate: 2026-02-11T12:00:00Z
section_ids:
  ClientCredentialClientCredentialsOAuth2ClientFilter-usage: Usage
  ClientCredentialsOAuth2ClientFilter-properties: Properties
  ClientCredentialsOAuth2ClientFilter-example: Examples
  ClientCredentialsOAuth2ClientFilter-moreinfo: More information
---

# ClientCredentialsOAuth2ClientFilter

Authenticates OAuth 2.0 clients with the OAuth 2.0 `client_credentials` grant type. Gets an access token from an Authorization Server with the specified scopes. Injects the access token into the inbound request as a Bearer Authorization header.

The `"endpointHandler"` authenticates the client with a client authentication filter, such as a [ClientSecretBasicAuthenticationFilter](ClientSecretBasicAuthenticationFilter.html). When an access token expires, this filter requests a new access token.

Use this filter in a service-to-service context where a service needs access to resources protected by OAuth 2.0.

## Usage

```none
{
  "name": string,
  "type": "ClientCredentialsOAuth2ClientFilter",
  "config": {
    "tokenEndpoint": configuration expression<url>,
    "clientId": configuration expression<string>,
    "scopes": [ configuration expression<string>, ... ],
    "endpointHandler": Handler reference
  }
}
```

## Properties

* `"tokenEndpoint"`: *configuration expression<[url](preface.html#definition-url)>, required*

  The URL to the Authorization Server's OAuth 2.0 token endpoint.

* `"clientId"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The OAuth 2.0 client ID.

  If you provide this, use the same identifier as you use in the client authentication filter of the `"endpointHandler"`.

* `"scopes"`: *array of configuration expression<[strings](preface.html#definition-string)>, optional*

  Array of scope strings to request from the Authorization Server.

  Default: Empty, request no scopes.

* `"endpointHandler"`: *Handler [reference](preface.html#definition-reference), optional*

  The Handler to exchange tokens on the authorization endpoint.

  Configure this property as a [Chain](Chain.html), using one of the following client authentication filters:

  * [ClientSecretBasicAuthenticationFilter](ClientSecretBasicAuthenticationFilter.html)

  * [ClientSecretPostAuthenticationFilter](ClientSecretPostAuthenticationFilter.html)

  * [PrivateKeyJwtClientAuthenticationFilter](PrivateKeyJwtClientAuthenticationFilter.html)

  ```json
  {
    "name": "myHandler",
    "type": "Chain",
    "config": {
      "handler": "ForgeRockClientHandler",
      "filters": [
        {
          "type": "ClientSecretBasicAuthenticationFilter",
          "config": {
            "clientId": "myConfidentialClient",
            "clientSecretId": "my.client.secret.id",
            "secretsProvider" : "mySystemAndEnvSecretStore"
          }
        }
      ]
    }
  }
  ```

  Default: [ForgeRockClientHandler](ForgeRockClientHandler.html)

## Examples

Find an example in [Client credentials grant with PingAM](../gateway-guide/oauth2-clientcredentials.html).
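
The exchange described at the top of this page, sketched in Python as an added example (it is not PingGateway code or its implementation): the RFC 6749 `client_credentials` token request with HTTP Basic client authentication, followed by a Bearer header that is refreshed once the token expires. `BearerInjector`, `FakeTokenEndpoint` and the helper function names are hypothetical, and the token responses are constructed so the block runs offline.

```python
import base64
import time
from urllib.parse import quote_plus, urlencode


def basic_auth_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode each part, then Base64 'id:secret'."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()


def build_token_request(client_id, client_secret, scopes):
    """Headers and form body of the POST sent to the token endpoint."""
    form = {"grant_type": "client_credentials"}
    if scopes:  # an empty list requests no scopes
        form["scope"] = " ".join(scopes)  # scopes are space-delimited
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)


class BearerInjector:
    """Hypothetical helper: caches the token and fetches a new one on expiry."""

    def __init__(self, fetch_token, clock=time.monotonic):
        self.fetch_token, self.clock = fetch_token, clock
        self.token, self.expires_at = None, 0.0

    def apply(self, request_headers):
        if self.token is None or self.clock() >= self.expires_at:
            reply = self.fetch_token()  # parsed JSON token response
            self.token = reply["access_token"]
            self.expires_at = self.clock() + reply["expires_in"]
        request_headers["Authorization"] = "Bearer " + self.token
        return request_headers


class FakeTokenEndpoint:
    """Constructed stand-in for the Authorization Server (no network access)."""

    def __init__(self):
        self.calls = 0

    def __call__(self):
        self.calls += 1
        return {"access_token": f"token-{self.calls}",
                "token_type": "Bearer", "expires_in": 60}
```

Reserved characters in the client secret are percent-encoded before Base64 encoding, and the cached token is reused until `expires_in` seconds have passed.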

## More information

[org.forgerock.openig.filter.oauth2.client.ClientCredentialsOAuth2ClientFilterHeaplet](../_attachments/apidocs/org/forgerock/openig/filter/oauth2/client/ClientCredentialsOAuth2ClientFilterHeaplet.html)

[org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilterHeaplet](../_attachments/apidocs/org/forgerock/openig/filter/oauth2/OAuth2ResourceServerFilterHeaplet.html)

[OAuth2ResourceServerFilter](OAuth2ResourceServerFilter.html)

[The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749)

[The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750)
